should not allow to can? when raw sql without block is present

2010-09-24 17:15:09 +08:00
parent 1f81b8dd1e
commit 12037d7f43
4 changed files with 38 additions and 1 deletions
--- a/spec/cancan/ability_spec.rb
+++ b/spec/cancan/ability_spec.rb
@@ -317,6 +317,13 @@ describe CanCan::Ability do
    end
    @ability.should have_block(:read, :foo)
  end
+  
+  it "should know when raw sql is used in conditions" do
+    @ability.can :read, :foo
+    @ability.should_not have_raw_sql(:read, :foo)
+    @ability.can :read, :foo, 'false'
+    @ability.should have_raw_sql(:read, :foo)
+  end

  it "should raise access denied exception with default message if not specified" do
    begin
--- a/spec/cancan/active_record_additions_spec.rb
+++ b/spec/cancan/active_record_additions_spec.rb
@@ -56,4 +56,18 @@ describe CanCan::ActiveRecordAdditions do
    stub(@model_class).scoped{|*args| args.inspect}
    @model_class.accessible_by(@ability).should == :found_records
  end
+  
+  it "should not allow to fetch records when ability with just block present" do
+    @ability.can :read, @model_class do false end
+    lambda {
+      @model_class.accessible_by(@ability)
+    }.should raise_error(CanCan::Error)
+  end
+  
+  it "should not allow to check ability on object when nonhash sql ability definition without block present" do
+    @ability.can :read, @model_class, ['bar = ?', 1]
+    lambda {
+      @ability.can? :read, @model_class.new
+    }.should raise_error(CanCan::Error)
+  end
 end